diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch
new file mode 100644
index 0000000000..c41642ae10
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch
@@ -0,0 +1,30 @@
+From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001
+From: Darren Tucker
+Date: Sun, 7 Jul 2024 18:46:19 +1000
+Subject: [PATCH] Cast to sockaddr * in systemd interface.
+
+Fixes build with musl libx. bz#3707.
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8]
+
+Signed-off-by: Jose Quaresma
+---
+ openbsd-compat/port-linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 4c024c6d2..8adfec5a7 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
+ error_f("socket \"%s\": %s", path, strerror(errno));
+ goto out;
+ }
+- if (connect(fd, &addr, sizeof(addr)) != 0) {
++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
+ error_f("socket \"%s\" connect: %s", path, strerror(errno));
+ goto out;
+ }
+--
+2.45.2
+
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
deleted file mode 100644
index 4925c969fe..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
+++ /dev/null
@@ -1,225 +0,0 @@
-From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001
-From: Damien Miller
-Date: Wed, 3 Apr 2024 14:40:32 +1100
-Subject: [PATCH] notify systemd on listen and reload
-
-Standalone implementation that does not depend on libsystemd.
-With assistance from Luca Boccassi, and feedback/testing from Colin
-Watson. bz2641
-
-Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c]
-
-Signed-off-by: Jose Quaresma
----
- configure.ac | 1 +
- openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++-
- openbsd-compat/port-linux.h | 5 ++
- platform.c | 11 +++++
- platform.h | 1 +
- sshd.c | 2 +
- 6 files changed, 115 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 82e8bb7c1..854f92b5b 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
- AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
- AC_DEFINE([USE_BTMP])
- AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
-+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
- inet6_default_4in6=yes
- case `uname -r` in
- 1.*|2.0.*)
-diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index 0457e28d0..df7290246 100644
---- a/openbsd-compat/port-linux.c
-+++ b/openbsd-compat/port-linux.c
-@@ -21,16 +21,23 @@
-
- #include "includes.h"
- - -#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
-+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \
-+ defined(SYSTEMD_NOTIFY)
-+#include
-+#include
-+
- #include
-+#include
- #include
- #include
- #include
- #include
-+#include
-
- #include "log.h"
- #include "xmalloc.h"
- #include "port-linux.h"
-+#include "misc.h"
-
- #ifdef WITH_SELINUX
- #include
-@@ -310,4 +317,90 @@ oom_adjust_restore(void)
- return;
- }
- #endif /* LINUX_OOM_ADJUST */
---#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
-+
-+#ifdef SYSTEMD_NOTIFY
-+
-+static void ssh_systemd_notify(const char *, ...)
-+ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
-+
-+static void
-+ssh_systemd_notify(const char *fmt, ...)
-+{
-+ char *s = NULL;
-+ const char *path;
-+ struct stat sb;
-+ struct sockaddr_un addr;
-+ int fd = -1;
-+ va_list ap;
-+
-+ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
-+ return;
-+
-+ va_start(ap, fmt);
-+ xvasprintf(&s, fmt, ap);
-+ va_end(ap);
-+
-+ /* Only AF_UNIX is supported, with path or abstract sockets */
-+ if (path[0] != '/' && path[0] != '@') {
-+ error_f("socket \"%s\" is not compatible with AF_UNIX", path);
-+ goto out;
-+ }
-+
-+ if (path[0] == '/' && stat(path, &sb) != 0) {
-+ error_f("socket \"%s\" stat: %s", path, strerror(errno));
-+ goto out;
-+ }
-+
-+ memset(&addr, 0, sizeof(addr));
-+ addr.sun_family = AF_UNIX;
-+ if (strlcpy(addr.sun_path, path,
-+ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
-+ error_f("socket path \"%s\" too long", path);
-+ goto out;
-+ }
-+ /* Support for abstract socket */
-+ if (addr.sun_path[0] == '@')
-+ addr.sun_path[0] = 0;
-+ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
-+ error_f("socket \"%s\": %s", path, strerror(errno));
-+ goto out;
-+ }
-+ if (connect(fd, &addr, sizeof(addr)) != 0) {
-+ error_f("socket \"%s\" connect: %s", path, strerror(errno));
-+ goto out;
-+ }
-+ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
-+ error_f("socket \"%s\" write: %s", path, strerror(errno));
-+ goto out;
-+ }
-+ debug_f("socket \"%s\" notified %s", path, s);
-+ out:
-+ if (fd != -1)
-+ close(fd);
-+ free(s);
-+}
-+
-+void
-+ssh_systemd_notify_ready(void)
-+{
-+ ssh_systemd_notify("READY=1");
-+}
-+
-+void
-+ssh_systemd_notify_reload(void)
-+{
-+ struct timespec now;
-+
-+ monotime_ts(&now);
-+ if (now.tv_sec < 0 || now.tv_nsec < 0) {
-+ error_f("monotime returned negative value");
-+ ssh_systemd_notify("RELOADING=1");
-+ } else {
-+ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
-+ ((uint64_t)now.tv_sec * 1000000ULL) +
-+ ((uint64_t)now.tv_nsec / 1000ULL));
-+ }
-+}
-+#endif /* SYSTEMD_NOTIFY */
-+
-+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
-index 3c22a854d..14064f87d 100644
---- a/openbsd-compat/port-linux.h
-+++ b/openbsd-compat/port-linux.h
-@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
- void oom_adjust_setup(void);
- #endif
-
-+#ifdef SYSTEMD_NOTIFY
-+void ssh_systemd_notify_ready(void);
-+void ssh_systemd_notify_reload(void);
-+#endif
-+
- #endif /* ! _PORT_LINUX_H */
-diff --git a/platform.c b/platform.c
-index 4fe8744ee..9cf818153 100644
---- a/platform.c
-+++ b/platform.c
-@@ -44,6 +44,14 @@ platform_pre_listen(void)
- #endif
- }
-
-+void
-+platform_post_listen(void)
-+{
-+#ifdef SYSTEMD_NOTIFY
-+ ssh_systemd_notify_ready();
-+#endif
-+}
-+
- void
- platform_pre_fork(void)
- {
-@@ -55,6 +63,9 @@ platform_pre_fork(void)
- void
- platform_pre_restart(void)
- {
-+#ifdef SYSTEMD_NOTIFY
-+ ssh_systemd_notify_reload();
-+#endif
- #ifdef LINUX_OOM_ADJUST
- oom_adjust_restore();
- #endif
-diff --git a/platform.h b/platform.h
-index 7fef8c983..5dec23276 100644
---- a/platform.h
-+++ b/platform.h
-@@ -21,6 +21,7 @@
- void platform_pre_listen(void);
- void platform_pre_fork(void);
- void platform_pre_restart(void);
-+void platform_post_listen(void);
- void platform_post_fork_parent(pid_t child_pid);
- void platform_post_fork_child(void);
- int platform_privileged_uidswap(void);
-diff --git a/sshd.c b/sshd.c
-index b4f2b9742..865331b46 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -2077,6 +2077,8 @@ main(int ac, char **av)
- ssh_signal(SIGTERM, sigterm_handler);
- ssh_signal(SIGQUIT, sigterm_handler);
-
-+ platform_post_listen();
-+
- /*
- * Write out the pid file after the sigterm handler
- * is setup and the listen sockets are bound
---
-2.45.2
-
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
index 8763f30f4b..f424288e37 100644
--- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -1,4 +1,4 @@
-From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001
+From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001
 From: Mikko Rapeli
 Date: Mon, 11 Sep 2023 09:55:21 +0100
 Subject: [PATCH] regress/banner.sh: log input and output files on error
@@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
 Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
 Signed-off-by: Mikko Rapeli
+Signed-off-by: Jose Quaresma
 ---
 regress/banner.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/regress/banner.sh b/regress/banner.sh
-index a84feb5a..de84957a 100644
+index a84feb5..de84957 100644
 --- a/regress/banner.sh
 +++ b/regress/banner.sh
 @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
@@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644
 done
 trace "test suppress banner (-q)"
---
-2.34.1
-
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
new file mode 100644
index 0000000000..b90cd2e69d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
@@ -0,0 +1,35 @@
+From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001
+From: Jose Quaresma
+Date: Mon, 15 Jul 2024 18:43:08 +0100
+Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env
+
+The SSHAGENT_BIN was changed in [1] to SSH_BIN but
+the last one don't use the absolute path and consequently
+the function increase_datafile_size can loops forever
+if the binary not found.
+
+[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818
+
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510]
+
+Signed-off-by: Jose Quaresma
+---
+ regress/test-exec.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 7afc2807..175f554b 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
+ fi
+
+ # Path to sshd must be absolute for rexec
++case "$SSH" in
++/*) ;;
++*) SSH=`which $SSH` ;;
++esac
++
+ case "$SSHD" in
+ /*) ;;
+ *) SSHD=`which $SSHD` ;;
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch
deleted file mode 100644
index 3e7c707100..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch
+++ /dev/null
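Review bot: The new `case "$SSH"` block in regress/test-exec.sh is inserted between the existing comment `# Path to sshd must be absolute for rexec` and the `case "$SSHD"` block that comment describes, so the comment now reads as if it applied to the ssh client. Move the new block above that comment, or give it its own, e.g. `# Path to ssh must be absolute, otherwise increase_datafile_size can loop forever on a missing binary` (the endless loop is what the patch description cites as the motivation). Separately, when `which` finds nothing the assignment leaves SSH empty and the script carries on, mirroring the existing SSHD case; failing at this point would surface a missing binary immediately instead of through the later loop. test-exec.sh continues outside the hunk.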
@@ -1,27 +0,0 @@
-Description: fix signal handler race condition
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497
-
-CVE: CVE-2024-6387
-
-Upstream-Status: Backport
-https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc
-
-Signed-off-by: Jose Quaresma
-
---- a/log.c
-+++ b/log.c
-@@ -452,12 +452,14 @@ void
- sshsigdie(const char *file, const char *func, int line, int showfunc,
- LogLevel level, const char *suffix, const char *fmt, ...)
- {
-+#if 0
- va_list args;
-
- va_start(args, fmt);
- sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
- suffix, fmt, args);
- va_end(args);
-+#endif
- _exit(1);
- }
-
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest
index b2244d725a..c9100f9f37 100755
--- a/meta/recipes-connectivity/openssh/openssh/run-ptest
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,5 +1,6 @@
 #!/bin/sh
+export TEST_SSH_SSH=ssh
 export TEST_SHELL=sh
 export SKIP_UNIT=1
diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb
similarity index 96%
rename from meta/recipes-connectivity/openssh/openssh_9.7p1.bb
rename to meta/recipes-connectivity/openssh/openssh_9.8p1.bb
index 4680d12be5..9554b4783f 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb
@@ -23,11 +23,11 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
 file://volatiles.99_sshd \
 file://run-ptest \
 file://sshd_check_keys \
+ file://0001-Cast-to-sockaddr-in-systemd-interface.patch \
 file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
- file://0001-notify-systemd-on-listen-and-reload.patch \
- file://CVE-2024-6387.patch \
+ file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
 "
-SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd"
+SRC_URI[sha256sum] = "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3"
 CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
@@ -195,7 +195,7 @@ ALLOW_EMPTY:${PN} = "1"
 PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
 FILES:${PN}-scp = "${bindir}/scp.${BPN}"
 FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
-FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
+FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
 FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
 FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
 FILES:${PN}-sftp = "${bindir}/sftp"